How to set HTTPS Redirection - Tomcat

What is an SSL Certificate?

One of the most important components of online business is creating a trusted environment where potential customers feel confident in making purchases. SSL certificates create a foundation of trust by establishing a secure connection. To assure visitors that their connection is secure, browsers provide visual cues, such as a lock icon or a green bar.

An SSL certificate is necessary to create an SSL connection. You provide details about the identity of your website and your company when you activate SSL on your web server. Two cryptographic keys are then created: a private key and a public key.

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the most widely deployed security protocols in use today. Essentially, the protocol provides a secure channel between two machines operating over the Internet or an internal network. In today's Internet-focused world, the SSL protocol is typically used when a web browser needs to connect securely to a web server over the inherently insecure Internet.

How Does it Work?

An end user asks their browser to make a secure connection to a website (e.g. https://www.example.com).

The browser obtains the IP address of the site from a DNS server, then requests a secure connection to the website.

To initiate this secure connection, the browser requests that the server identify itself by sending a copy of its SSL certificate to the browser.

The browser checks the certificate to ensure:

That it is signed by a trusted CA

That it is valid, i.e. that it has not expired or been revoked

That it conforms to required security standards on key lengths and other items.

That the domain listed on the certificate matches the domain that was requested by the user.

When the browser confirms that the website can be trusted, it creates a symmetric session key which it encrypts with the public key in the website's certificate. The session key is then sent to the web server.

The web server uses its private key to decrypt the symmetric session key.

The server sends back an acknowledgment that is encrypted with the session key.

From now on, all data transmitted between the server and the browser is encrypted and secure.

How Does an SSL Certificate Create a Secure Connection?

When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called the "SSL Handshake". Note that the SSL Handshake is invisible to the user and happens instantaneously.

Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.

Because encrypting and decrypting with the private and public keys takes a lot of processing power, they are used only during the SSL Handshake to create a symmetric session key. After the secure connection is made, the session key is used to encrypt all transmitted data.

2) The server sends a copy of its SSL certificate, including the server's public key.

3) The browser checks the certificate root against a list of trusted CAs, and checks that the certificate is unexpired and unrevoked and that its common name is valid for the website it is connecting to. If the browser trusts the certificate, it creates a symmetric session key, encrypts it with the server's public key, and sends it back.

4) The server decrypts the symmetric session key using its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session.

Steps to Configure Auto Redirect from HTTP to HTTPS on Apache Tomcat

1) In ~TomcatInstallation/conf/server.xml

For the HTTP Connector, set the redirect port to the port of the HTTPS Connector. It will look somewhat like this:

To redirect HTTP requests to HTTPS automatically, change redirectPort from 8443 to 443.

2) In ~TomcatInstallation/conf/web.xml

Add the configuration below, making sure it comes after all the servlet-mapping tags.

<!-- added by HostingRaja for automatic redirect from HTTP to HTTPS -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Restart Tomcat now, and all HTTP requests will automatically be redirected to HTTPS.
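As an added check, not part of the original article: a small Python script that parses server.xml and web.xml (constructed sample fragments embedded inline) and verifies both steps above, namely that the HTTP Connector's redirectPort points at a Connector that actually has SSLEnabled="true", and that a security-constraint forces CONFIDENTIAL transport on /*. A redirectPort that names a port no HTTPS Connector listens on (for example 8443 left in place while HTTPS runs on 443) is the usual reason the redirect fails.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (sample, not from the article): plain HTTP
# connector on 8080 redirecting to 443, where an SSLEnabled connector listens.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

# Constructed web.xml fragment carrying the constraint from step 2.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(tag: str) -> str:
    """Strip the XML namespace that web.xml declares on every element."""
    return tag.rsplit("}", 1)[-1]


def redirect_port_problems(server_xml: str) -> list:
    """Return misconfigurations found; an empty list means every redirect target exists."""
    root = ET.fromstring(server_xml)
    https_ports = {c.get("port") for c in root.iter("Connector")
                   if c.get("SSLEnabled", "").lower() == "true"}
    problems = []
    if not https_ports:
        problems.append("no SSLEnabled connector: redirects have nowhere to go")
    for c in root.iter("Connector"):
        target = c.get("redirectPort", "443")  # 443 is Tomcat's default when unset
        if c.get("SSLEnabled", "").lower() != "true" and target not in https_ports:
            problems.append(f"port {c.get('port')} redirects to {target}, "
                            "but no HTTPS connector listens there")
    return problems


def has_confidential_constraint(web_xml: str) -> bool:
    """True if some security-constraint forces CONFIDENTIAL transport on /*."""
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        patterns = {(e.text or "").strip() for e in sc.iter() if local(e.tag) == "url-pattern"}
        guarantees = {(e.text or "").strip() for e in sc.iter()
                      if local(e.tag) == "transport-guarantee"}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False
```

Point the two constants at the real files (`open(path).read()`) to run the same checks against a live installation.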